[00:00.000 --> 00:04.760]  Welcome to Wicked War Driving with GPS and GLONASS. I'm White Shadow, and I'm going to
[00:04.760 --> 00:10.160]  be describing to you GPS, how it works, the data that you receive from GPS satellites,
[00:10.160 --> 00:14.320]  other satellite constellations that provide similar location data, some dongles you can
[00:14.320 --> 00:19.100]  use to receive all of that information and use that in your war driving efforts.
[00:20.120 --> 00:26.140]  So who am I? I'm a prior staff sergeant from the US Air Force. I was in Space Command,
[00:26.140 --> 00:31.200]  which is now called the Space Force. Since getting out of the military, I've become a
[00:31.200 --> 00:37.340]  wireless security researcher. And some of my public works are SniffAir back in 2017,
[00:37.340 --> 00:43.240]  as well as last year, I presented at the DEFCON Wireless Village with Solstice on some attacks
[00:43.240 --> 00:50.440]  on WPA3-OWE. On the picture on the right there, you can see that's me and Solstice on stage
[00:50.440 --> 00:56.080]  last year. That's my Twitter profile picture there.
[00:58.000 --> 01:02.940]  So war driving, why do people do war driving? Before becoming a pen tester, I had this vague
[01:02.940 --> 01:06.620]  understanding of war driving that you could drive around and sniff wireless networks and
[01:06.620 --> 01:13.240]  then kind of plot them out. But why would anyone actually do that? Well, once I became
[01:13.360 --> 01:18.340]  a pen tester, I realized that there is a valuable need for this skill set. Many times clients
[01:18.340 --> 01:21.340]  could set up new wireless infrastructure in their building and they want to measure
[01:21.340 --> 01:26.460]  the signal bleed outside of their building. So performing a war drive for a client may
[01:26.460 --> 01:31.400]  be useful, or maybe they're just curious if their neighboring businesses are able to receive
[01:31.400 --> 01:36.120]  their Wi-Fi signal. So they may want a wireless pen tester to go out and do a war drive to
[01:36.120 --> 01:40.100]  measure how far the signal goes out and where exactly it can be picked up from.
[01:40.620 --> 01:47.780]  It could also just be done as a hobby. WiGLE.net is a great resource for this. You can see
[01:47.780 --> 01:51.920]  in the bottom right-hand corner the picture of WiGLE.net there. It's an open-source database
[01:51.920 --> 01:58.320]  that hobbyists can war drive and upload their results to, and anyone can upload to it and
[01:58.320 --> 02:03.620]  anyone can query it. So you can look up any of the data that has been uploaded there by
[02:03.620 --> 02:10.480]  hobbyist war drivers that drive around mapping Wi-Fi networks to GPS coordinates.
[02:11.320 --> 02:16.160]  And as I got into war driving professionally, I realized that the research on GPS dongles
[02:16.160 --> 02:22.140]  was extremely lacking. When it came to choosing a GPS dongle to perform war driving, there's
[02:22.140 --> 02:27.560]  basically only one that everyone has used. And whenever you ask somebody why they chose
[02:27.560 --> 02:32.680]  that dongle, the answer is usually, because somebody told me to use it. There really isn't
[02:32.680 --> 02:37.380]  much on it. If you Google it, it's really hard to find any information on it.
[02:37.720 --> 02:44.220]  So taking my experience from Air Force Space Command, I knew that GPS is an American-owned
[02:44.220 --> 02:50.100]  and operated satellite. Specifically, Air Force Space Command handles the operations
[02:50.100 --> 02:57.880]  of GPS. A little history on that. Satellite navigation goes back to the 1960s when the
[02:57.880 --> 03:03.380]  Navy had their own satellite. Other branches of the military had their own navigational
[03:03.380 --> 03:10.040]  satellites as well. The Air Force and the Army did. In 1968, the DoD made everyone collaborate
[03:10.040 --> 03:14.920]  together and act as one big happy family. So the Army satellites were decommissioned
[03:14.920 --> 03:19.920]  and the Air Force and Navy satellites combined into one constellation that was used for navigation
[03:20.460 --> 03:26.300]  up until 1978 when Navstar 1 was launched. So that is the first GPS as we know it today
[03:26.300 --> 03:33.780]  satellite that was launched. Since then, 72 have been launched with 24 currently in orbit.
[03:33.780 --> 03:40.800]  So they need 24 satellites to maintain worldwide coverage. Now there are additional satellites
[03:40.800 --> 03:46.660]  on orbit. You can see there's 33 up there in orbit about, give or take. These are referred
[03:46.660 --> 03:51.560]  to as on-orbit spares. These are typically older satellites that get pushed out as newer
[03:51.560 --> 03:56.900]  ones are launched to take their place. And these typically don't have the best capabilities
[03:56.900 --> 04:03.940]  so they're typically not in use. GPS is in a MEO orbit, or Medium Earth Orbit. This means
[04:03.940 --> 04:10.600]  that it goes around Earth twice a day. So one full orbit every 12 hours. Now there are
[04:10.600 --> 04:14.980]  other orbits out there that people should be familiar with such as LEO, Low Earth Orbit.
[04:14.980 --> 04:19.180]  These are things like the Space Station, which goes around the Earth every 90 minutes. So
[04:19.580 --> 04:26.280]  a LEO orbit is about 90 minutes, whereas a MEO orbit here is about 12 hours. There's
[04:26.280 --> 04:30.000]  other orbits out there such as HEO, a Highly Elliptical Orbit. This is when satellites
[04:31.200 --> 04:35.660]  have some kind of wonky orbit, typically to hang out over a certain position of Earth
[04:36.380 --> 04:42.920]  for a certain amount of time and then go around the Earth again. Then there's also GEO, Geostationary
[04:42.920 --> 04:48.820]  or Geosynchronous satellites as well. And those satellites are out so far from Earth
[04:48.820 --> 04:54.180]  that they're actually in sync with the Earth rotating. So they revolve around the Earth
[04:54.180 --> 04:58.560]  at the same rate that Earth rotates. This creates this illusion that these satellites
[04:58.560 --> 05:02.900]  are over a static point of Earth. A common example that everyone would know of this is
[05:02.900 --> 05:07.920]  satellite TV. Whenever the technician came over to set up your satellite TV at home,
[05:07.920 --> 05:13.760]  he set up a satellite dish, pointed it at a single point in the sky, screwed it in place,
[05:13.760 --> 05:18.560]  and then never touched it again because he pointed it at a satellite that is in a static
[05:18.560 --> 05:28.380]  point in the sky. Now, GPS uses trilateration to determine the location of an individual.
[05:28.460 --> 05:33.560]  So what is trilateration? It's hard to explain in the three-dimensional plane, so I'm going
[05:33.560 --> 05:39.540]  to do my best to describe it in the two-dimensional plane. Let's say you're somewhere in the U.S.
[05:39.540 --> 05:46.220]  and you turn on a GPS receiver. Well, the first satellite sees you and it's going to
[05:46.220 --> 05:50.820]  say you're within its spot beam here in this red circle. So according to that satellite
[05:50.820 --> 05:56.200]  with just data from that, your location is anywhere within this red circle. That's not
[05:56.200 --> 06:02.280]  very valuable. That's not very accurate. Now, your receiver picks up a second satellite.
[06:02.500 --> 06:07.900]  According to this satellite, you are anywhere within this blue circle. Again, individually
[06:07.900 --> 06:11.340]  that doesn't make a lot of sense because you could be anywhere, but you see where the circles
[06:11.340 --> 06:16.800]  overlap. You can start to see how this is whittling down to where we might be. Now,
[06:16.800 --> 06:21.520]  let's say a third satellite sees where you are and you're anywhere within the green circle.
[06:21.520 --> 06:25.440]  We can kind of see that these circles have overlapped at a common point. And when you
[06:25.440 --> 06:32.660]  zoom in on that, you can see that is how a latitude and longitude is calculated from
[06:33.540 --> 06:39.100]  GPS satellites using trilateration to find you on Earth. Now, you can use your imagination
[06:39.100 --> 06:44.140]  here to see if I were to continue to draw circles on this map, that the area where they
[06:44.140 --> 06:52.220]  overlap would get smaller and thus more precise. So we know GPS needs three satellites for
[06:52.220 --> 06:58.700]  trilateration. And there's four satellites visible at all times. Most satellite receivers
[06:58.700 --> 07:03.560]  typically won't provide information until they get that fourth lock from a fourth satellite.
[07:06.120 --> 07:09.760]  Instead of latitude and longitude, once you get the fourth satellite, you can also calculate
[07:09.760 --> 07:13.820]  altitude and additional things from there. The bottom line is, the more satellites you
[07:13.820 --> 07:18.160]  have, the more accurate the information is going to be. But what is that information?
[07:18.160 --> 07:21.880]  What is the data that comes down from these GPS satellites? Well, I have an example of
[07:21.880 --> 07:26.140]  it here. These are called NMEA messages. I know that's a funny word, and I'm going to
[07:26.140 --> 07:30.920]  skip over what it is right now, but I just want you to look at these messages. Now, you
[07:30.920 --> 07:37.760]  can see the... what I want you to pay attention to are the last three letters of these messages.
[07:37.760 --> 07:45.440]  GGA, GLL, GSA, GSV, RMC. These refer to the type of message that this is. The first two
[07:45.440 --> 07:50.640]  letters of each message indicate which satellite that it came from. So GP indicates that this
[07:50.640 --> 07:54.880]  message came from a GPS satellite. So you can see the different messages that we have
[07:54.880 --> 08:00.140]  here. And then at the bottom of the screen, you can see those are legitimate NMEA strings
[08:00.140 --> 08:03.760]  coming down from satellites in space. And so that's what they look like. That's what
[08:03.760 --> 08:10.800]  the data looks like coming down from space. So being in Air Force Space Command, I knew
[08:10.800 --> 08:17.480]  that I was aware of US GPS, but then I was also aware that other countries did not want
[08:17.480 --> 08:23.740]  to use US GPS just in case we went to war with them or something like that. They may
[08:23.740 --> 08:28.080]  want to jam GPS, so they created their own satellite constellations that do the exact
[08:28.080 --> 08:35.100]  same thing. So this is where Russian GLONASS comes in. So just like US GPS, Russia has
[08:35.100 --> 08:39.920]  their own satellite constellation that does the exact same job. It was originally launched
[08:39.920 --> 08:46.880]  in 1982. Since then, 27 satellites have been launched. 21 of them are in use, with 24 total
[08:46.880 --> 08:52.900]  in orbit. So they have about three on-orbit spares. And they accomplished the same task
[08:52.900 --> 08:59.540]  as GPS, which used 24 satellites in orbit, with only 21 satellites by using a slightly
[08:59.540 --> 09:06.800]  faster orbital period. Remember when I was talking about a medium Earth orbit, MEO, GPS
[09:06.800 --> 09:11.040]  satellites go around the Earth every 12 hours. Well, GLONASS goes around a little over 11
[09:11.040 --> 09:20.220]  hours. So after thinking about Russian GLONASS, I started thinking about why wouldn't you
[09:20.220 --> 09:25.880]  want to receive data from both? Thinking about GPS, at any given time, if you're in
[09:25.880 --> 09:32.980]  an empty field on a perfect day with perfect weather, you could receive 12 GPS satellites.
[09:32.980 --> 09:39.480]  With GLONASS, it's about 6 to 10, given where you are in Earth and given the weather conditions
[09:39.480 --> 09:45.340]  and everything. So why wouldn't you want to receive both? While GPS does have worldwide
[09:45.340 --> 09:50.660]  coverage, its coverage around the poles in northern Europe, northern Russia, the coverage
[09:50.660 --> 09:56.440]  there is not that great. So GLONASS actually makes up for that. So again, it's making up
[09:56.440 --> 10:01.880]  for the areas where GPS is lacking. So why wouldn't you want to receive both? They both
[10:01.880 --> 10:06.040]  have worldwide coverage. This is a common misconception that people think that GLONASS
[10:06.040 --> 10:10.980]  receivers are only accurate in Russia, that you can only use a GLONASS receiver in Russia.
[10:11.600 --> 10:18.740]  Just how the US military uses GPS to guide ships, planes, and bombs, we want those ships, planes,
[10:18.740 --> 10:22.600]  and bombs to have accurate navigation data, whether they're in the US or whether they're
[10:22.600 --> 10:28.300]  in Russia or anywhere in the world. The same thing applies to GLONASS. Russia also has ships,
[10:28.300 --> 10:33.160]  planes, and bombs that are navigated by GLONASS, and they want that to have accurate navigational
[10:33.160 --> 10:38.740]  data regardless of where they are in the world. So both of these satellite constellations do work
[10:39.480 --> 10:44.740]  worldwide. And as I started looking into it, I realized a lot of smartphones have actually
[10:44.740 --> 10:50.420]  started implementing this. I believe the iPhone 7 or the iPhone 8 actually implemented a GPS and
[10:50.420 --> 10:56.880]  GLONASS receiver. So I was sitting there and continuing to think about constellations, and
[10:56.880 --> 11:03.040]  then I realized that Galileo is another one made by the European Space Agency. And it was first
[11:03.040 --> 11:11.000]  launched in 2011. Since then, 24 satellites have been launched, and mainly all their satellites
[11:11.000 --> 11:15.180]  are going through the process of being commissioned to be brought online. You see there's 14 satellites
[11:15.180 --> 11:22.440]  in use, but a lot of them are being tested and are being brought online to actually work with
[11:22.440 --> 11:30.900]  the constellation. And again, these are MEO satellites as well. And so when you look at all
[11:30.900 --> 11:37.500]  of these satellites and compare the pictures here, and if anyone's curious, all these pictures
[11:37.500 --> 11:45.600]  are from Kerbal Space Program, but you compare GPS on the left, 24 satellites for worldwide coverage,
[11:45.600 --> 11:52.700]  versus the satellites on the right, and you see how many there are there. The circles on the map
[11:53.860 --> 11:59.460]  of trilateration that you can draw increase numerously.
[12:00.440 --> 12:05.040]  So then I was wondering, well, how many satellite constellations are there? Well, there's several
[12:05.040 --> 12:12.880]  GNSS constellations. Europe has Galileo, Japan has QZSS, Russia has GLONASS, India has IRNSS,
[12:12.880 --> 12:19.140]  the U.S. has GPS, and China has Beidou. And they are all classified under this umbrella term
[12:19.140 --> 12:25.400]  of GNSS, Global Navigation Satellite System. Now that's confusing because that's also what
[12:25.400 --> 12:32.440]  GLONASS stands for. However, whenever you see GNSS, it's referring to all of the satellite constellations.
[12:33.740 --> 12:39.300]  And it's interesting because regardless of where the satellite constellation originates from,
[12:39.300 --> 12:44.360]  they all speak the same language, and that language is NMEA. That's that word that I said earlier
[12:44.360 --> 12:50.460]  I would skip over, and it stands for National Marine Electronics Association. So this is the
[12:50.460 --> 12:55.820]  standard that defines how data is transmitted in a sentence form from one talker to multiple
[12:55.820 --> 13:02.020]  listeners, from one satellite to multiple receivers on the planet at once. And you can see in this
[13:02.020 --> 13:08.560]  screenshot, these are NMEA strings or sentences sent from multiple satellites because you can see
[13:08.560 --> 13:16.460]  the last three letters of that message, GSV, GSV, GSV, but the first two indicate which satellite
[13:16.460 --> 13:23.960]  they came from. So GPGSV came from a GPS satellite. GLGSV came from a Russian GLONASS satellite.
[13:23.960 --> 13:30.080]  We have two more of these GL messages. Then we have a GAGSV message, which came from a European
[13:30.080 --> 13:36.700]  Galileo satellite. Then there's this GNRMC. That's another GNSS satellite. They're satellites that I
[13:36.700 --> 13:41.160]  didn't even mention in the previous slide that sit out in a geosynchronous orbit and provide
[13:41.160 --> 13:46.820]  error correction information. So we can receive all of these things because they speak a common
[13:46.820 --> 13:57.180]  language. So now that we know that GPS is not the only satellite that does location services,
[13:57.700 --> 14:02.320]  we know that they all speak a common language. Well, there's got to be dongles out there that
[14:02.910 --> 14:08.400]  could receive all this information, right? So that is what sent me on this quest to
[14:09.400 --> 14:16.520]  buy a bunch of dongles, analyze what they could do, see if I could reconfigure them in ways to
[14:16.520 --> 14:21.540]  receive additional satellite constellations, and then perform some tests with them. So
[14:23.220 --> 14:29.280]  aside from just going to Amazon and buying every GPS GNSS dongle I could find,
[14:29.280 --> 14:35.920]  these are the software tools that I used. So GPSD, this is what
[14:37.800 --> 14:42.460]  takes the information from your dongle and starts a server that you can connect to with tools like
[14:42.460 --> 14:49.000]  GPSmon to troubleshoot or just view the information, or Kismet. And Kismet will actually correlate
[14:49.000 --> 14:54.900]  that GPS data with the Wi-Fi information it sees so that you can war drive. Now the commands that
[14:54.900 --> 15:02.380]  I've laid out here, GPSD, tick D2, that's the debug level. So you can increase that number or
[15:02.380 --> 15:12.160]  decrease it and that'll change the verbosity of the output. Tick little n is to not wait for
[15:13.040 --> 15:19.300]  GPS lock before querying for messages. So that's important because you want to see those
[15:19.300 --> 15:24.180]  NMEA strings as they're coming down from the dongle without having to wait for it to receive
[15:24.180 --> 15:31.260]  full lock. Then the tick capital N there tells GPSD not to run as a background process and leave
[15:31.260 --> 15:38.940]  it in the foreground. Then I'm specifying my serial device. Then I'm using tick S and 2948 to specify
[15:39.680 --> 15:47.540]  a different port to host the GPSD service on. I did this because Kali has a service that it starts
[15:47.540 --> 15:54.540]  on 2947 which is the default for GPSD. So instead of just disabling that I just got in the habit of
[15:54.540 --> 16:04.180]  starting this on my own port. I'm also using GPSmon to troubleshoot or just to analyze the
[16:04.180 --> 16:10.740]  information coming down from GPSD. And you can do that with GPSmon tick N which specifies GPSmon
[16:10.740 --> 16:18.560]  to look for NMEA strings. And then you specify localhost and the port that I used in starting
[16:18.560 --> 16:25.820]  GPSD. I also use the u-center software from u-blox which only works on Windows but it's extremely
[16:25.820 --> 16:32.620]  useful in configuring GPS dongles and GNSS dongles and I'll get into that a little bit later.
[16:32.980 --> 16:38.640]  And then I also used Kismet in this and it's important to note that you have to go into the
[16:38.640 --> 16:47.060]  Kismet config file and uncomment the line where it says that you want to use GPSD.
[16:48.640 --> 16:56.720]  So first up was the BU-353S4. This is the dongle that everyone uses. This is the one that
[16:56.720 --> 17:04.620]  everyone recommends that everyone use and it's GPS only. So on the right side of the screen here
[17:04.620 --> 17:11.140]  we have output from GPSmon and I've highlighted some fields here. So on the left we see PRN and
[17:11.140 --> 17:17.300]  this number is the designator for each satellite in the constellation. So when it comes to US GPS
[17:17.300 --> 17:22.780]  you're only going to see numbers between 1 and 32 in this PRN field. Now at the very bottom of
[17:22.780 --> 17:27.040]  that PRN field you see a number that says 138. That is actually one of the geosynchronous
[17:27.040 --> 17:32.540]  satellites that sits out and provides error correction. Next to the PRN field I've highlighted
[17:32.540 --> 17:37.920]  SNR. That's the signal to noise ratio. So that shows you the signal that you're getting from a
[17:37.920 --> 17:43.960]  specific GPS satellite. And then on the far right of that picture I've highlighted the number of
[17:43.960 --> 17:50.280]  satellites and it says the number of satellites is seven. You can see that in the signal to noise
[17:50.280 --> 17:54.760]  ratio block that only seven of these satellites there are providing a signal there. So that's
[17:54.760 --> 17:58.260]  most likely why GPSmon is only showing seven satellites.
[17:59.940 --> 18:06.440]  So that's cool. Now in this example I'm using the older version of Kismet. Sorry if Dragorn is
[18:06.440 --> 18:11.220]  watching but actually this is a feature request if I could get this back into the newer version
[18:11.220 --> 18:18.240]  of Kismet because space nerds like to see GPS information like this. You can see on the top
[18:18.240 --> 18:24.120]  right I'm pulling down the NMEA strings straight from the serial device by just using the cat
[18:24.120 --> 18:29.240]  command and then specifying the serial device. And you can see the NMEA strings coming down
[18:29.240 --> 18:37.240]  from space. But on the left side after starting up Kismet and everything it can see the satellites
[18:37.240 --> 18:41.920]  however it says I don't have a signal. I don't have a strong enough signal on enough satellite
[18:41.920 --> 18:49.220]  to determine my location. And that's stressful. That's infuriating when you're trying to perform
[18:49.360 --> 18:53.340]  a war drive. Maybe there's bad weather outside or something and you just want to get it done.
[18:54.720 --> 18:57.660]  This isn't going to help anyone just sitting around waiting for lock.
[18:58.440 --> 19:02.800]  So this was what inspired me to look for additional dongles, because I've been in
[19:02.800 --> 19:06.900]  this situation many times on a wireless pen test when I'm waiting on this GPS dongle to lock up so
[19:06.900 --> 19:13.780]  that I can start my war drive or war walk and hurry up and get out of there. But you could see
[19:13.780 --> 19:19.560]  if we just had more satellites in space to lock up on other than the 32 in the entire GPS
[19:19.560 --> 19:24.880]  constellation you know maybe that would make it easier to obtain lock. So when I started talking
[19:24.880 --> 19:29.580]  to people about this this was one of the first dongles that was recommended to me.
[19:29.920 --> 19:37.180]  Now it's important to note it says GPS slash GLONASS. That slash means or and not both. So
[19:37.180 --> 19:45.580]  you can only configure this dongle to work with GLONASS or GPS and not both. And you can use the
[19:45.580 --> 19:52.260]  u-center software to configure this. And I've highlighted the configuration screen from that
[19:52.260 --> 19:56.560]  on the right here. You can see it has all the satellite constellations that you could actually
[19:56.560 --> 20:02.500]  select. And some of them are grayed out. In this example Galileo, Beidou, and IMES are grayed out.
[20:02.500 --> 20:14.300]  But GPS, SBAS, and QZSS are selectable. And whenever you select a configuration here
[20:14.300 --> 20:18.000]  at the bottom of this configuration menu there is a send button that you must push
[20:18.000 --> 20:25.860]  to push the configuration to the dongle. And again in this testing I found out very quickly
[20:25.860 --> 20:30.860]  that I could only configure this dongle for GPS or GLONASS. So I ended all my testing with that
[20:30.860 --> 20:35.980]  because I was looking for dongles that could do both. Now I wanted to talk about the u-center
[20:35.980 --> 20:41.620]  software because it can be a pain to use, a pain to learn, and there's not a lot of resources out
[20:41.620 --> 20:46.440]  there on how to use it. Like I mentioned before, it's a Windows-only piece of software that you
[20:46.440 --> 20:53.500]  can download for free from their website. Once you install it and everything, you launch it,
[20:53.500 --> 20:58.100]  and then from the receiver drop-down menu you go into connection, and then you'll see the
[20:58.100 --> 21:04.260]  COM devices there for you to select your USB dongle. Once you've selected that, you can then
[21:04.260 --> 21:09.440]  go to the view drop-down, go to configuration view, select GNSS config, and then you can actually
[21:09.440 --> 21:16.620]  select which satellite constellations you want to receive from. And I mentioned it before, but after
[21:16.620 --> 21:22.460]  you select which constellations you want to receive from, you go down to the bottom and click send,
[21:22.460 --> 21:27.320]  and then that will push the configuration to the dongle. However, you have to save that
[21:27.320 --> 21:32.980]  configuration after you have sent it. So from receiver drop-down menu, go to action and save
[21:32.980 --> 21:39.080]  config, and that will store that configuration in the memory on the dongle. So when you unplug it
[21:39.080 --> 21:43.700]  and then plug it into another computer, that configuration is saved there.
[21:45.520 --> 21:51.740]  Specifically, if you want to only receive GLONASS satellites. So I configured a dongle here to only
[21:51.740 --> 21:57.940]  receive data from GLONASS satellites. In the bottom left hand corner, you can see that GLONASS
[21:57.940 --> 22:03.540]  is the only constellation that is enabled. In the top left, you can see all the NMEA strings
[22:03.540 --> 22:10.820]  that are coming from GLONASS satellites indicated by the GL in front of every message. And then on
[22:10.820 --> 22:14.520]  the right side, I just have a pretty picture showing the Russian flag next to every satellite
[22:14.520 --> 22:21.620]  that I'm receiving a signal from. Now, once I save that configuration from the u-center software,
[22:21.620 --> 22:25.960]  unplug that dongle from my Windows machine, and then plug it into my Linux computer,
[22:25.960 --> 22:32.800]  and use GPSD and GPSmon to receive information. You can see here in GPSmon, the PRN numbers are
[22:32.800 --> 22:38.660]  now between 65 and 88. That is because those are Russian GLONASS satellites that I'm receiving a
[22:38.660 --> 22:44.760]  signal from. And again, on the right side, I've highlighted that there's seven satellites I'm
[22:44.760 --> 22:49.660]  receiving signal from. And you can see that from the signal to noise ratio there that two satellites
[22:51.120 --> 22:58.220]  aren't reporting a signal. So this was one of the first dongles that I found that could do both.
[22:58.220 --> 23:01.760]  It was advertised as a GNSS receiver. It said it could receive all the things.
[23:01.760 --> 23:07.900]  And I wanted to test it out. And just buying it and plugging it in to Kali Linux, it worked right
[23:07.900 --> 23:14.380]  out of the box. I was able to hook it up with Kismet after starting up GPSD. And then you can
[23:14.380 --> 23:20.080]  see from the output on the left side of the screen there from the GPSINFO and Kismet, you can see all
[23:20.080 --> 23:26.480]  the satellites that I'm receiving data from. So 1 through 32 would be U.S. GPS satellites, 65 through
[23:26.480 --> 23:33.520]  88 are Russian GLONASS satellites, and then 131, 135, 138 are the geosynchronous satellites that
[23:33.520 --> 23:43.610]  provide error correction data. So that's cool, but I want to receive more. And so I found this dongle
[23:43.610 --> 23:52.230]  that receives all of the things. GPS, GLONASS, Galileo, Beidou, QZSS. And you can see that in
[23:52.230 --> 24:00.730]  the u-center software. You can see the first six satellites are U.S. GPS, then the next
[24:00.730 --> 24:07.170]  six or seven satellites are Russian GLONASS satellites, then there is another
[24:07.170 --> 24:11.350]  geosynchronous satellite that provides error correction, and then the final two satellites
[24:11.350 --> 24:18.810]  in that picture are European Galileo satellites. This is the same screenshot, but on the left side
[24:18.810 --> 24:25.770]  you can see the NMEA data coming down from them. You can see that the very top GL, GSA, came from a
[24:25.770 --> 24:34.030]  Russian GLONASS satellite. GA, GSA, come from a European Galileo satellite. GP, GSV, came from a
[24:34.030 --> 24:41.670]  U.S. GPS satellite. So we are receiving information from all three constellations
[24:41.790 --> 24:46.330]  with a single dongle. What does that look like in GPSmon? GPSmon couldn't even handle all the
[24:46.330 --> 24:52.450]  satellites that it was picking up, so this screen only goes to 11, and you can see on the right side
[24:52.450 --> 25:01.550]  that I picked up at least 15. And then I also showed the sentences block of GPSmon, and in this
[25:01.550 --> 25:08.430]  block you can see those messages that I was just referencing. GN, GGA, came from a GNSS satellite.
[25:08.430 --> 25:14.930]  GP, GSA, came from a GPS satellite. GL, GSA, came from a Russian GLONASS satellite. So this is a quick way
[25:14.930 --> 25:21.730]  to see how or to see what messages you're receiving and which satellites you're receiving from. So if
[25:21.730 --> 25:27.990]  you were to plug this into Kismet, what would that look like? Again, you can see I have lock on 23
[25:27.990 --> 25:36.670]  satellites, and again 1 through 32 is U.S. GPS. From there up to 83 is U.S. or Russian GLONASS,
[25:36.670 --> 25:46.030]  and then 309 and 312 are European Galileo satellites. Okay, so big whoop. You found all these GPS dongles,
[25:46.030 --> 25:50.150]  you found some that could pick up other satellites, but what does it mean? What does it mean to
[25:50.150 --> 25:57.090]  war driving, and what does it mean to accuracy in general? So I ran some tests. I set up equipment
[25:57.090 --> 26:03.670]  with each dongle and drove around a neighborhood, and let's see the results. So with GPS only, using
[26:03.670 --> 26:13.150]  the BU-353, you could see here that, yeah, it looks pretty good. I did a little loop over here in this
[26:13.150 --> 26:17.550]  neighborhood to kind of test the precision there. It looks a little off, but I mean for the most part
[26:17.550 --> 26:22.230]  it looks like I'm on the road. I was in a car, so I was on the street the entire time. So there are
[26:22.230 --> 26:25.190]  some areas where it looks like I was on the sidewalk, but for the most part this is pretty
[26:25.190 --> 26:31.990]  accurate. Next, I had one of the dongles configured for GLONASS only. So just using Russian GLONASS
[26:31.990 --> 26:37.570]  satellites, it kind of looks like I was off in the grass and driving over people's houses, but
[26:37.570 --> 26:44.430]  for the most part it still captured the same path. Then we have the GNSS receiver. So this is
[26:44.430 --> 26:52.870]  receiving all the things from GPS, GLONASS, Galileo. And you can see this actually looks much better.
[26:52.870 --> 26:58.110]  It looks like I'm more in the center of the road, which is closer to where I was actually
[26:58.110 --> 27:04.190]  driving. The circle around this tree up here looks a lot better, but let's compare all of them
[27:04.190 --> 27:11.950]  when we overlay them together. So the green lines are going to be GPS, GLONASS is red, and the GNSS
[27:11.950 --> 27:19.570]  receiver is yellow. So for the most part the tracks all look the same with GLONASS sticking
[27:19.570 --> 27:26.970]  out a little bit, but let's zoom in on that circle there. So you can see the way I drove this path
[27:26.970 --> 27:33.570]  was I came down through the top of that parking lot and did a lap around the tree and then left
[27:33.570 --> 27:40.350]  out the front entrance there. So with the yellow line you can see that I actually stayed on the road.
[27:40.350 --> 27:45.270]  With the green line it shows me off in the grass a little bit, but for the most part it's
[27:45.270 --> 27:51.410]  fairly accurate. And the red line from just GLONASS only information shows me running off in
[27:51.410 --> 27:57.790]  the grass and driving over cars like a monster truck, which is not what I did. But yeah, so what
[27:57.790 --> 28:04.550]  did we learn from that? In a rural area with not much in the way to obscure the sky, it really
[28:04.550 --> 28:11.630]  doesn't matter which dongle you use. They're all fairly accurate for the most part. I mean it wasn't
[28:11.630 --> 28:18.530]  off by too much if I was plotting Wi-Fi networks. But let's test this again in an area where
[28:18.530 --> 28:25.630]  there are things obscuring the view to the sky. So I drove to downtown Denver and ran the same test.
[28:25.830 --> 28:31.170]  So we can see here GPS. Wow, that looks pretty good. There's only a few sections there where
[28:31.170 --> 28:35.750]  it got a little squirrely going around the corners of some buildings, but for the most part that's
[28:35.750 --> 28:44.510]  really accurate. GLONASS only... I don't even know what happened. Clearly it can't handle
[28:44.510 --> 28:52.030]  an urban environment. But using the GNSS receiver, this was definitely the most accurate.
[28:52.170 --> 28:57.630]  In all the results there you can see it shows you exactly which street I'm on and you can see
[28:57.630 --> 29:06.470]  the path that I drove. Let's overlay them all together and you can see for the most part the
[29:06.470 --> 29:15.130]  GPS by itself was fairly accurate as well. It just got off path a little bit. But yeah,
[29:15.130 --> 29:19.790]  we can zoom in and see that there. That GPS kind of showed that I drove through a building and
[29:19.790 --> 29:25.210]  off through some trees, but for the most part it stuck close to the road where I actually was.
[29:25.250 --> 29:30.930]  And if we're mapping Wi-Fi networks in something like WiGLE or something like that,
[29:30.930 --> 29:35.410]  this information, it doesn't need to be the most accurate. I mean if you're sending someone on site
[29:35.410 --> 29:43.750]  to go and attack this Wi-Fi network, they're going to find it if they're within that same
[29:44.730 --> 29:52.970]  area that GPS is kind of saying that we went to. So while it is not the most accurate,
[29:52.970 --> 29:58.570]  it's still pretty accurate there. So the result here is that the GNSS dongle was the most accurate
[29:58.570 --> 30:05.990]  in all of the war driving results. GLONASS by itself was the least accurate, and the GNSS
[30:05.990 --> 30:11.610]  receiver locked up the fastest. In all of these cases when I was testing this out, what I did was
[30:11.610 --> 30:17.390]  I drove to the starting location, plugged in everything, and then sat there, waited for it
[30:17.390 --> 30:24.190]  to get locked, and then I gave each one 10 minutes to stay stationary before I conducted the drive.
[30:24.190 --> 30:32.450]  And the GNSS receiver locked up instantly every time, and that's simply due to the number of
[30:32.450 --> 30:38.670]  satellites in the sky that it can pull information from. So what do you want to look for when you're
[30:38.670 --> 30:45.150]  looking for a GNSS dongle? First, make sure it's a GNSS receiver. GNSS means that it receives all
[30:45.150 --> 30:50.650]  of the things. The u-blox chipset is easy to configure with that u-center software. Everything
[30:50.650 --> 30:58.270]  is point and click. There are some Python pip modules to interact with u-blox chips or chipsets
[30:58.810 --> 31:03.770]  such as the one seen on the right here, which leads me to the third bullet point of looking
[31:03.770 --> 31:08.930]  at the supported operating system. When you're looking at various dongles, they may say it
[31:08.930 --> 31:14.890]  supports Windows. It may say it supports Linux. You want to make sure that it's going to work
[31:14.890 --> 31:18.930]  with the operating system that you're going to use in your war driving efforts. So this
[31:21.130 --> 31:26.490]  $200 Raspberry Pi hat isn't going to work with a Windows computer. It's important to note that.
[31:26.830 --> 31:32.270]  And I also wanted to note that I'm not telling you to buy the dongle that I
[31:32.850 --> 31:37.810]  used in this. I'm not saying that my research is the end-all be-all. All I wanted to do was
[31:37.810 --> 31:43.390]  provide enough knowledge to the community to be able to be educated enough to make decisions on
[31:43.390 --> 31:48.450]  what kind of dongles to buy. Now that you know that GPS is not the only satellite out there,
[31:48.450 --> 31:52.390]  you know what kind of data comes down from these satellites, and you know that there are dongles
[31:52.390 --> 31:57.750]  out there that can receive that NMEA data and determine location. So now that everyone is
[31:57.750 --> 32:05.610]  educated on this topic, you can go out there and do your own research. This SparkFun Pi hat was
[32:05.610 --> 32:12.330]  brought to my attention shortly before this presentation was made, so I didn't have enough
[32:12.330 --> 32:19.890]  time to play around with this and get it working enough to be a part of this presentation. But
[32:21.490 --> 32:26.150]  it's certainly up for anyone. Anyone could do that. I'm not the expert on this. I just wanted
[32:26.150 --> 32:31.930]  to provide my background knowledge, the fundamental knowledge of how GPS works, so that everyone else
[32:31.930 --> 32:35.330]  could go out there and make the same kind of decisions that I did. Just buy a bunch of dongles
[32:35.330 --> 32:41.090]  and do the research yourself and try to find out what works best for you. Now that you are armed
[32:41.090 --> 32:44.930]  with all that knowledge, and you can go out there and buy your own dongles, and you know exactly
[32:45.610 --> 32:51.930]  what's coming down from space to provide your location, go war drive the world. WiGLE's doing
[32:52.110 --> 32:58.970]  a war driving contest with DEFCON this year as part of their wireless CTF. Check it out, sign up,
[32:58.970 --> 33:04.590]  select a block on the world, war drive some access points, and collect some points.
[33:07.030 --> 33:10.730]  If you want to continue the conversation with me on war driving, you can find me on
[33:10.730 --> 33:16.550]  Twitter at TheDerricott. If you want to see projects that I'm working on, there's my GitHub link.
